-3

I'm having trouble with a PHP login form.

When the username + password is correct everything works fine, but when it's incorrect it gives an error:

Notice: Trying to access array offset on value of type null in /opt/lampp/htdocs/login/process.php on line 20 Login Failed!

I know it is something related to mysqli_fetch_array but I don't know what.

PHP is the latest version, 7.4.8

```php
<?php
// Get values from form in login.php

$username = $_POST['user'];
$password = $_POST['password'];

// To prevent SQL injection
$username = stripcslashes($username);
$password = stripcslashes($password);
// $username = mysql_real_escape_string($username);
// $password = mysql_real_escape_string($password);

// Database Connection
$con = mysqli_connect("localhost","root","1234", "login");

// Query the Db for username
$result = mysqli_query($con, "SELECT * FROM users WHERE username = '$username' AND password = '$password'")
        or die("Fail to connect to database".mysql_error());
$row = mysqli_fetch_array($result);
if ($row['username'] == $username && $row['password'] == $password){
    echo "Login succesfull!";
} else {
    echo "Login Failed!";
}
```
Dharman
Southsound-dev
  • `or die("Fail to connect to database".mysql_error());` – a) this is not the part where you try to make the database _connection_, and b) you are mixing mysqli and mysql functions here (which you can’t do.) – CBroe Aug 28 '20 at 07:37
  • You don't check if a row is retrieved, so when the details aren't correct `$row` won't contain an array. – Nigel Ren Aug 28 '20 at 07:38
  • Does this answer your question? [Turning query errors to Exceptions in MySQLi](https://stackoverflow.com/questions/14578243/turning-query-errors-to-exceptions-in-mysqli) – CBroe Aug 28 '20 at 07:38
  • You shouldn't be storing passwords as plain text, have a read of [How to use PHP's password_hash to hash and verify passwords](https://stackoverflow.com/questions/30279321/how-to-use-phps-password-hash-to-hash-and-verify-passwords). Also learn to use prepared statements. – Nigel Ren Aug 28 '20 at 07:39
  • `// To prevent SQL injection` – absolutely massively wrong what you are doing there. Go read up on how to do this _properly_; and then go read up on prepared statements, and use those _instead_. – CBroe Aug 28 '20 at 07:39
  • **Warning:** You are wide open to [SQL Injections](https://stackoverflow.com/a/60496/1839439) and should use parameterized **prepared statements** instead of manually building your queries. They are provided by [PDO](https://php.net/manual/pdo.prepared-statements.php) or by [MySQLi](https://php.net/manual/mysqli.quickstart.prepared-statements.php). Never trust any kind of input! Even when your queries are executed only by trusted users, [you are still in risk of corrupting your data](http://bobby-tables.com/). [Escaping is not enough!](https://stackoverflow.com/q/5741187) – Dharman Aug 28 '20 at 11:09

2 Answers

1

The problem is because the $row variable initialised as:

```php
$row = mysqli_fetch_array($result);
```

is equal to null, when no user matches the provided password and username. The quick fix is to extend the condition for successful login to include a null check:

```php
if ($row !== null && $row['username'] == $username && $row['password'] == $password) {
    echo "Login succesfull!";
}
```

On a side note, know that escaping values using mysql_real_escape_string may still not be enough to prevent SQL Injection. Instead, a prepared statement with typed parameters should be used.

Also, storing passwords in plain text is really not a good idea. It'd be recommended to implement a mechanism using e.g. the password_hash and password_verify functions.

Andy
  • I will double-check the code anyway, thanks everybody for the suggestions! – Southsound-dev Aug 28 '20 at 07:49
  • @Southsound-dev although this solution would work, please, do consider reading about proper password handling and SQL injection prevention. The current format of your code is prone to several security attacks. – Andy Aug 28 '20 at 07:50
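
The approach recommended in the answer and comments above (a prepared statement plus password_hash/password_verify, with the no-row case handled before indexing), as an added example that is not from the original posts. It assumes PDO with an in-memory SQLite database in place of the page's MySQL connection so that it runs offline; the `users` layout, the `check_login` helper and the sample accounts are constructed.

```php
<?php
declare(strict_types=1);

// Assumption: in-memory SQLite via PDO stands in for the page's MySQL
// "login" database; the table layout below is constructed for the example.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE users (username TEXT PRIMARY KEY, password_hash TEXT NOT NULL)');

// Constructed sample account: only the hash is stored, never the password.
$insert = $pdo->prepare('INSERT INTO users (username, password_hash) VALUES (?, ?)');
$insert->execute(['alice', password_hash('correct horse', PASSWORD_DEFAULT)]);

// Hash of a throwaway value, verified when the user is unknown so that both
// failure paths do comparable work.
$dummyHash = password_hash('placeholder', PASSWORD_DEFAULT);

// Hypothetical helper: true only when the user exists and the password matches.
function check_login(PDO $pdo, string $username, string $password, string $dummyHash): bool
{
    // The username is bound as a parameter, so it is never parsed as SQL.
    $stmt = $pdo->prepare('SELECT password_hash FROM users WHERE username = ?');
    $stmt->execute([$username]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);

    // PDO's fetch() returns false when no row matches (mysqli_fetch_array()
    // returns null); check for that before reading any array offset.
    if ($row === false) {
        password_verify($password, $dummyHash);
        return false;
    }
    return password_verify($password, $row['password_hash']);
}

// Constructed inputs: valid login, wrong password, unknown user, and a
// username containing a quote character, which is handled as plain data.
$attempts = [
    ['alice', 'correct horse'],
    ['alice', 'wrong'],
    ['bob', 'anything'],
    ["o'brien", 'anything'],
];
foreach ($attempts as [$user, $pass]) {
    $ok = check_login($pdo, $user, $pass, $dummyHash);
    printf("%-10s %s\n", $user, $ok ? 'Login successful!' : 'Login Failed!');
}
```

With mysqli the same structure applies: prepare the statement, bind the username, fetch the row, and call password_verify only after confirming a row was returned.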
0
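```php
// Query the database for a row matching the submitted credentials.
// mysqli_error($con) is used because the mysql_* functions do not exist in PHP 7.
$result = mysqli_query($con, "SELECT * FROM users WHERE username = '$username' AND password = '$password'")
        or die("Fail to connect to database".mysqli_error($con));
// At least one returned row means the credentials matched
if(mysqli_num_rows($result) > 0) {
    echo "Login succesfull!";
} else {
    echo "Login Failed!";
}
```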
John V